I just restored the factory image on my PC and am still getting redirected to Scour, my-search-results and other various malicious sites. I followed the malware removal 8-step process and here's what I came up with. I know you guys are busy helping people - we really appreciate it.
_________________________________________________________________
MBAM Log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5129
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
11/16/2010 6:13:38 PM
mbam-log-2010-11-16 (18-13-38).txt
Scan type: Quick scan
Objects scanned: 138389
Time elapsed: 2 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
_________________________________________________________________
GMER Log
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-16 18:19:52
Windows 6.1.7600
Running: h65kxkux.exe
---- Files - GMER 1.0.15 ----
File C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb 524288 bytes
---- EOF - GMER 1.0.15 ----
________________________________________________________________
Attach.txt (from DDS)
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-11-10.01)
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 11/16/2010 5:23:42 PM
System Uptime: 11/16/2010 6:07:49 PM (0 hours ago)
Motherboard: MICRO-STAR INTERNATIONAL CO.,LTD | | P43 Neo3 (MS-7514)
Processor: Pentium(R) Dual-Core CPU E5300 @ 2.60GHz | CPU 1 | 2603/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 425 GiB total, 406.94 GiB free.
D: is FIXED (NTFS) - 40 GiB total, 35.683 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1: 11/16/2010 5:25:05 PM - Windows Update
RP2: 11/16/2010 5:45:17 PM - Windows Update
==== Installed Programs ======================
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Avira AntiVir Personal - Free Antivirus
DirectX 9 Runtime
JMicron JMB36X Driver
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
NVIDIA Stereoscopic 3D Driver
Realtek Ethernet Controller Driver For Windows Vista and Later
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio BackOnTrack
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio Creator XE
Roxio Express Labeler 3
Roxio Update Manager
==== Event Viewer Messages From Past Week ========
11/16/2010 6:07:06 PM, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
11/16/2010 6:06:03 PM, Error: Service Control Manager [7034] - The NVIDIA Stereoscopic 3D Driver Service service terminated unexpectedly. It has done this 1 time(s).
==== End Of File ===========================
________________________________________________________________
DDS.txt (also from DDS)
DDS (Ver_10-11-10.01) - NTFS_AMD64
Run by Matt at 18:21:23.64 on Tue 11/16/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4095.2949 [GMT -5:00]
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10a.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Matt\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
============= SERVICES / DRIVERS ===============
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-11-11 55280]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2010-11-16 135336]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2010-11-16 267944]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2010-11-16 81584]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-8-17 239648]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-11-11 239616]
S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2009-6-10 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2009-6-10 166384]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-6-10 1124848]
=============== Created Last 30 ================
2010-11-17 01:15:27 -------- d-----w- C:\Windows\System32\catroot2
2010-11-16 23:10:18 -------- d-----w- C:\Users\Matt\AppData\Roaming\Malwarebytes
2010-11-16 23:10:13 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-16 23:10:11 -------- d-----w- C:\PROGRA~3\Malwarebytes
2010-11-16 23:10:10 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-11-16 23:10:10 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-11-16 23:04:24 -------- d-----w- C:\Users\Matt\AppData\Roaming\Avira
2010-11-16 23:03:00 81584 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2010-11-16 23:02:59 -------- d-----w- C:\Program Files (x86)\Avira
2010-11-16 23:02:59 -------- d-----w- C:\PROGRA~3\Avira
2010-11-16 22:57:23 169320 ----a-w- C:\PROGRA~3\Microsoft\Windows\Sqm\Manifest\Sqm10135.bin
2010-11-16 22:45:32 8006480 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{22031B4C-B693-45C7-B04C-D087610C6BF0}\mpengine.dll
2010-11-16 22:45:31 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-11-16 22:25:03 220672 ----a-w- C:\Windows\System32\wintrust.dll
2010-11-16 22:25:03 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2010-11-16 22:25:03 139264 ----a-w- C:\Windows\System32\cabview.dll
2010-11-16 22:25:03 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
==================== Find3M ====================
============= FINISH: 18:21:47.69 ===============
_________________________________________________________________
Any help is greatly appreciated. I just did a fresh install but somehow this malware continues to redirect me to these malicious sites.
Thanks again,
Matt